RFID tags with public and private inventory states

ABSTRACT

RFID tags capable of transitioning between a private state and one or more public states are provided. In the private state, tags may participate in an inventory round without restriction. In a public state, tags may be prevented from participating in an inventory round, allowed to participate without providing actual identifying information, or allowed to participate providing an alternate identifier. Whether and how the tag responds in a public state may depend on certain conditions including if one or more of the tag&#39;s flags are asserted or deasserted. A reader may select a public tag for inventorying by verifying itself, and the tag then asserting or deasserting one or more of its flags accordingly. The asserted or deasserted flag(s) may be used to determine whether and how a tag in a public state participates in an inventory round.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of co-pending U.S. patent applicationSer. No. 16/556,587, filed Aug. 30, 2019, which is a continuation ofU.S. patent application Ser. No. 16/056,382, filed on Aug. 6, 2018,which is a continuation-in-part under 35 U.S.C. § 120 of U.S. patentapplication Ser. No. 15/690,597, filed on Aug. 30, 2017, which is acontinuation of U.S. patent application Ser. No. 13/854,580 filed onApr. 1, 2013, which is a continuation of U.S. patent application Ser.No. 12/697,895 filed on Feb. 1, 2010, which claims the benefit of U.S.Prov. Pat. Appl. Ser. No. 61/149,654 filed on Feb. 3, 2009. Thedisclosures of these patent applications are hereby incorporated byreference in their entireties.

BACKGROUND

Radio-Frequency Identification (RFID) systems typically include RFIDreaders, also known as RFID reader/writers or RFID interrogators, andRFID tags. RFID systems can be used in many ways for locating andidentifying objects to which the tags are attached. RFID systems areuseful in product-related and service-related industries for trackingobjects being processed, inventoried, or handled. In such cases, an RFIDtag is usually attached to an individual item, or to its package.

In principle, RFID techniques entail using an RFID reader to inventoryone or more RFID tags, where inventorying involves at least singulatinga tag and receiving an identifier from the singulated tag. “Singulated”is defined as a reader singling-out one tag, potentially from amongmultiple tags, for a reader-tag dialog. “Identifier” is defined as anumber identifying the tag or the item to which the tag is attached,such as a tag identifier (TID), electronic product code (EPC), etc. Thereader transmitting a Radio-Frequency (RF) wave performs theinterrogation. The RF wave is typically electromagnetic, at least in thefar field. The RF wave can also be predominantly electric or magnetic inthe near or transitional near field. The RF wave may encode one or morecommands that instruct the tags to perform one or more actions.

In typical RFID systems, an RFID reader transmits a modulated RFinventory signal (a command), receives a tag reply, and transmits an RFacknowledgement signal responsive to the tag reply. A tag that sensesthe interrogating RF wave may respond by transmitting back another RFwave. The tag either generates the transmitted back RF wave originally,or by reflecting back a portion of the interrogating RF wave in aprocess known as backscatter. Backscatter may take place in a number ofways.

The reflected-back RF wave may encode data stored in the tag, such as anumber. The response is demodulated and decoded by the reader, whichthereby identifies, counts, or otherwise interacts with the associateditem. The decoded data can denote a serial number, a price, a date, atime, a destination, an encrypted message, an electronic signature,other attribute(s), any combination of attributes, and so on.Accordingly, when a reader receives tag data it can learn about the itemthat hosts the tag and/or about the tag itself.

An RFID tag typically includes an antenna section, a radio section, apower-management section, and frequently a logical section, a memory, orboth. In some RFID tags the power-management section included an energystorage device such as a battery. RFID tags with an energy storagedevice are known as battery-assisted, semi-active, or active tags. OtherRFID tags can be powered solely by the RF signal they receive. Such RFIDtags do not include an energy storage device and are called passivetags. Of course, even passive tags typically include temporary energy-and data/flag-storage elements such as capacitors or inductors.

In some circumstances tagged items have their tags removed, such as atpoint-of-sale for tagged retail items or when an item is removed fromtagged packaging and the packaging is destroyed. In other circumstancestagged items retain their tags for specific or future uses such asretail-item returns to a store or tagged identity cards. In some cases,especially when the tag is retained on the item, the owner of the taggeditem may not want unauthorized readers to be able to read or track theitem, such as for privacy reasons. Most conventional tags are alwayscapable of being inventoried; those that inhibit regular inventorytypically require a password-based challenge-response authenticationwith a reader before allowing themselves to be inventoried. The formertag types pose privacy risks to their owners; the latter tag typesrequire complex password-based authentication that adds complexity tothe reader and to the tag and makes it difficult to use the tags unlessthe interrogating reader has knowledge of both the authenticationalgorithm and the tag's secret password.

BRIEF SUMMARY

This summary is provided to introduce a selection of concepts in asimplified form that are further described below in the DetailedDescription. This summary is not intended to identify key features oressential features of the claimed subject matter, nor is it intended asan aid in determining the scope of the claimed subject matter.

Embodiments are directed to RFID tags capable of transitioning between aprivate state and one or more public states. In the private state, a tagmay participate in an inventory round without restriction. In the publicstate or states the tag may be prevented from participating in aninventory round, allowed to participate in an inventory round butprevented from providing actual identifying information, or allowed toparticipate in the inventory round. Whether and how the tag responds inthe public state may depend on certain conditions, such as if one ormore of the tag's flags are asserted or deasserted. Embodiments aredirected to tags being first selected in the public state forinventorying by verifying that the reader is authentic, genuine, orknows some information about the tag, and the tag then asserting ordeasserting one or more of its flags accordingly. Embodiments arefurther directed to the asserted or deasserted flag or flags being thoseflags that determine whether and how a tag in the public stateparticipates in an inventory round. According to further embodiments, atag in the public state or states that is prevented from providing anactual identifier may respond to a reader with an alternative identifierin place of the tag's actual identifier.

According to one example, a method for an RFID integrated circuit (IC)configurable to operate in a private state and in a public state, and totransition at least from the private state to the public state, todetermine whether to respond to an inventorying command to a reader, isprovided. The method may include, when the IC is in the private state,receiving the inventorying command and responding to the inventoryingcommand regardless of whether the reader is verified or unverified. Themethod may further include, when the IC is in the public state,receiving the inventorying command and responding to the inventoryingcommand if the reader is verified, else not responding to theinventorying command.

According to another example, a method for an RFID IC configurable tooperate in a private state and in a public state, and to transition atleast from the private state to the public state, to determine whetherto provide an identifier to a reader, is provided. The method mayinclude, when the IC is in the private state, receiving a request forthe identifier from the reader and providing the identifier regardlessof whether the reader is verified or unverified. The method may furtherinclude, when the IC is in the public state, receiving the request forthe identifier from the reader and providing the identifier if thereader is verified, else not providing the identifier.

According to a further example, an RFID IC configured to operate in aprivate state and in a public state, and to transition at least from theprivate state to the public state, is provided. The IC may include atransceiver configured to exchange radio frequency (RF) signals with areader and a processor coupled to the transceiver. The processor may beconfigured to, when the IC is operating in the private state, receivingan inventorying command from the reader via the transceiver and respondto the inventorying command via the transceiver regardless of whetherthe reader is verified or unverified. The processor may be furtherconfigured to, when the IC is operating in the public state, receive theinventorying command from the reader via the transceiver, receive a codevia the transceiver prior to receiving the inventorying command orincluded in the inventorying command, determined whether the receivedcode is valid, and consider the reader verified and respond to theinventorying command if the received code is valid else not respond tothe inventorying command.

These and other features and advantages will be apparent from a readingof the following detailed description and a review of the associateddrawings. It is to be understood that both the foregoing generaldescription and the following detailed description are explanatory onlyand are not restrictive of aspects as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS

The following Detailed Description proceeds with reference to theaccompanying drawings, in which:

FIG. 1 is a block diagram of components of an RFID system.

FIG. 2 is a diagram showing components of a passive RFID tag, such as atag that can be used in the system of FIG. 1.

FIG. 3 is a conceptual diagram for explaining a half-duplex mode ofcommunication between the components of the RFID system of FIG. 1.

FIG. 4 is a block diagram showing a detail of an RFID tag, such as theone shown in FIG. 1.

FIGS. 5A and 5B illustrate signal paths during tag-to-reader andreader-to-tag communications in the block diagram of FIG. 4.

FIG. 6 illustrates how a tag can be switched between a public state andprivate state according to embodiments.

FIG. 7 illustrates how a tag can be switched from a private state to aplurality of public states and back according to embodiments.

FIG. 8 is a diagram illustrating how a tag physical memory such as thememory shown in FIG. 4 can be partitioned and organized.

FIG. 9 illustrates how tags participate in inventory rounds according tothe Gen2 Specification.

FIG. 10A through 10D illustrate example tag behaviors based on flagvalues and tag state according to various embodiments.

FIG. 11 illustrates an example of how select flag value and tag stateresult in tag participation or non-participation in inventory roundsand/or whether the tag responds with its actual identifier according toan example embodiment.

FIG. 12 illustrates example tag state and tag-reader interactionsaccording to some embodiments.

FIG. 13 is a flowchart for a process of an RFID tag transitioning from aprivate to a public state or vice versa according to embodiments.

FIG. 14 is a flowchart for a process of an RFID tag asserting ordeasserting its flag(s) according to embodiments.

FIG. 15 is a flowchart for a process of an RFID tag behavior during aninventory round based on tag flag value(s) and tag state according toembodiments.

DETAILED DESCRIPTION

In the following detailed description, references are made to theaccompanying drawings that form a part hereof, and in which are shown byway of illustration specific embodiments or examples. These embodimentsor examples may be combined, other aspects may be utilized, andstructural changes may be made without departing from the spirit orscope of the present disclosure. The following detailed description istherefore not to be taken in a limiting sense, and the scope of thepresent invention is defined by the appended claims and theirequivalents.

As used herein, “memory” is one of ROM, RAM, SRAM, DRAM, NVM, EEPROM,FLASH, Fuse, MRAM, FRAM, and other similar volatile and nonvolatileinformation-storage technologies as will be known to those skilled inthe art. Some portions of memory may be writeable and some not.“Command” refers to a reader request for one or more tags to perform oneor more actions, and includes one or more tag instructions preceded by acommand identifier or command code that identifies the command and/orthe tag instructions. “Instruction” refers to a request to a tag toperform a single explicit action (e.g., write data into memory).“Program” refers to a request to a tag to perform a set or sequence ofinstructions (e.g., read a value from memory and, if the read value isless than a threshold then lock a memory word). “Protocol” refers to anindustry standard for communications between a reader and a tag (andvice versa), such as the Class-1 Generation-2 UHF RFID Protocol forCommunications at 860 MHz-960 MHz by GS1 EPCglobal, Inc. (“Gen2Specification”), versions 1.2.0 and 2.0 of which are hereby incorporatedby reference.

FIG. 1 is a diagram of the components of a typical RFID system 100,incorporating embodiments. An RFID reader 110 transmits an interrogatingRF signal 112. RFID tag 120, which is near RFID reader 110, sensesinterrogating RF signal 112 and generates signal 126 in response. RFIDreader 110 senses and interprets signal 126. The signals 112 and 126 mayinclude RF waves and/or non-propagating RF signals (e.g., reactivenear-field signals).

Reader 110 and tag 120 communicate via signals 112 and 126. Whencommunicating, each encodes, modulates, and transmits data to the other,and each receives, demodulates, and decodes data from the other. Thedata can be modulated onto, and demodulated from, RF waveforms. The RFwaveforms are typically in a suitable range of frequencies, such asthose near 900 MHz, 13.56 MHz, and so on.

The communication between reader and tag uses symbols, also called RFIDsymbols. A symbol can be a delimiter, a calibration value, and so on.Symbols can be implemented for exchanging binary data, such as “0” and“1”, if that is desired. When symbols are processed by reader 110 andtag 120 they can be treated as values, numbers, and so on.

Tag 120 can be a passive tag, or an active or battery-assisted tag(i.e., a tag having its own power source). When tag 120 is a passivetag, it is powered from signal 112.

FIG. 2 is a diagram of an RFID tag 220, which may function as tag 120 ofFIG. 1. Tag 220 is drawn as a passive tag, meaning it does not have itsown power source. Much of what is described in this document, however,applies also to active and battery-assisted tags.

Tag 220 is typically (although not necessarily) formed on asubstantially planar inlay 222, which can be made in many ways known inthe art. Tag 220 includes a circuit which may be implemented as an IC224. In some embodiments IC 224 is implemented in complementarymetal-oxide semiconductor (CMOS) technology. In other embodiments IC 224may be implemented in other technologies such as bipolar junctiontransistor (BJT) technology, metal-semiconductor field-effect transistor(MESFET) technology, and others as will be well known to those skilledin the art. IC 224 is arranged on inlay 222.

Tag 220 also includes an antenna for exchanging wireless signals withits environment. The antenna is often flat and attached to inlay 222. IC224 is electrically coupled to the antenna via suitable IC contacts (notshown in FIG. 2). The term “electrically coupled” as used herein maymean a direct electrical connection, or it may mean a connection thatincludes one or more intervening circuit blocks, elements, or devices.The “electrical” part of the term “electrically coupled” as used in thisdocument shall mean a coupling that is one or more of ohmic/galvanic,capacitive, and/or inductive. Similarly, the terms “electricallyisolated” or “electrically decoupled” as used herein mean thatelectrical coupling of one or more types (e.g., galvanic, capacitive,and/or inductive) is not present, at least to the extent possible. Forexample, elements that are electrically isolated from each other aregalvanically isolated from each other, capacitively isolated from eachother, and/or inductively isolated from each other. Of course,electrically isolated components will generally have some unavoidablestray capacitive or inductive coupling between them, but the intent ofthe isolation is to minimize this stray coupling to a negligible levelwhen compared with an electrically coupled path.

IC 224 is shown with a single antenna port, comprising two IC contactselectrically coupled to two antenna segments 226 and 228 which are shownhere forming a dipole. Many other embodiments are possible using anynumber of ports, contacts, antennas, and/or antenna segments.

Diagram 250 depicts top and side views of tag 252, formed using a strap.Tag 252 differs from tag 220 in that it includes a substantially planarstrap substrate 254 having strap contacts 256 and 258. IC 224 is mountedon strap substrate 254 such that the IC contacts on IC 224 electricallycouple to strap contacts 256 and 258 via suitable connections (notshown). Strap substrate 254 is then placed on inlay 222 such that strapcontacts 256 and 258 electrically couple to antenna segments 226 and228. Strap substrate 254 may be affixed to inlay 222 via pressing, aninterface layer, one or more adhesives, or any other suitable means.

Diagram 260 depicts a side view of an alternative way to place strapsubstrate 254 onto inlay 222. Instead of strap substrate 254's surface,including strap contacts 256/258, facing the surface of inlay 222, strapsubstrate 254 is placed with its strap contacts 256/258 facing away fromthe surface of inlay 222. Strap contacts 256/258 can then be eithercapacitively coupled to antenna segments 226/228 through strap substrate254, or conductively coupled using a through-via which may be formed bycrimping strap contacts 256/258 to antenna segments 226/228. In someembodiments, the positions of strap substrate 254 and inlay 222 may bereversed, with strap substrate 254 mounted beneath inlay 222 and strapcontacts 256/258 electrically coupled to antenna segments 226/228through inlay 222. Of course, in yet other embodiments strap contacts256/258 may electrically couple to antenna segments 226/228 through bothinlay 222 and strap substrate 254.

In operation, the antenna receives a signal and communicates it to IC224, which may both harvest power and respond if appropriate, based onthe incoming signal and the IC's internal state. If IC 224 usesbackscatter modulation then it responds by modulating the antenna'sreflectance, which generates response signal 126 from signal 112transmitted by the reader. Electrically coupling and uncoupling the ICcontacts of IC 224 can modulate the antenna's reflectance, as canvarying the admittance of a shunt-connected circuit element which iscoupled to the IC contacts. Varying the impedance of a series-connectedcircuit element is another means of modulating the antenna'sreflectance. If IC 224 is capable of transmitting signals (e.g., has itsown power source, is coupled to an external power source, and/or is ableto harvest sufficient power to transmit signals), then IC 224 mayrespond by transmitting response signal 126.

In the embodiments of FIG. 2, antenna segments 226 and 228 are separatefrom IC 224. In other embodiments, the antenna segments mayalternatively be formed on IC 224. Tag antennas according to embodimentsmay be designed in any form and are not limited to dipoles. For example,the tag antenna may be a patch, a slot, a loop, a coil, a horn, aspiral, a monopole, microstrip, stripline, or any other suitableantenna.

An RFID tag such as tag 220 is often attached to or associated with anindividual item or the item packaging. An RFID tag may be fabricated andthen attached to the item or packaging, or may be partly fabricatedbefore attachment to the item or packaging and then completelyfabricated upon attachment to the item or packaging. In someembodiments, the manufacturing process of the item or packaging mayinclude the fabrication of an RFID tag. In these embodiments, theresulting RFID tag may be integrated into the item or packaging, andportions of the item or packaging may serve as tag components. Forexample, conductive item or packaging portions may serve as tag antennasegments or contacts. Nonconductive item or packaging portions may serveas tag substrates or inlays. If the item or packaging includesintegrated circuits or other circuitry, some portion of the circuitrymay be configured to operate as part or all of an RFID tag IC. An “RFIDIC” may refer to an item capable of receiving and responding to RFIDsignals. For example, an item having a separate but attached RFID tagcan be considered an RFID IC, as is an item having an integrated RFIDtag or an item manufactured to have the capabilities of an RFID tag. Astandalone RFID tag may also be referred to as an “RFID IC”.

The components of the RFID system of FIG. 1 may communicate with eachother in any number of modes. One such mode is called full duplex, whereboth reader 110 and tag 120 can transmit at the same time. In someembodiments, RFID system 100 may be capable of full duplex communicationif tag 120 is configured to transmit signals as described above. Anothersuch mode, suitable for passive tags, is called half-duplex, and isdescribed below.

FIG. 3 is a conceptual diagram 300 for explaining half-duplexcommunications between the components of the RFID system of FIG. 1, inthis case with tag 120 implemented as passive tag 220 of FIG. 2. Theexplanation is made with reference to a TIME axis, and also to a humanmetaphor of “talking” and “listening”. The actual technicalimplementations for “talking” and “listening” are now described.

RFID reader 110 and RFID tag 120 talk and listen to each other by takingturns. As seen on axis TIME, when reader 110 talks to tag 120 thecommunication session is designated as “R→T”, and when tag 120 talks toreader 110 the communication session is designated as “T→R”. Along theTIME axis, a sample R→T communication session occurs during a timeinterval 312, and a following sample T→R communication session occursduring a time interval 326. Interval 312 may typically be of a differentduration than interval 326—here the durations are shown approximatelyequal only for purposes of illustration.

According to blocks 332 and 336, RFID reader 110 talks during interval312, and listens during interval 326. According to blocks 342 and 346,RFID tag 120 listens while reader 110 talks (during interval 312), andtalks while reader 110 listens (during interval 326).

In terms of actual behavior, during interval 312 reader 110 talks to tag120 as follows. According to block 352, reader 110 transmits signal 112,which was first described in FIG. 1. At the same time, according toblock 362, tag 120 receives signal 112 and processes it to extract dataand so on. Meanwhile, according to block 372, tag 120 does notbackscatter with its antenna, and according to block 382, reader 110 hasno signal to receive from tag 120.

During interval 326, which may also be referred to as a backscatter timeinterval or backscatter interval, tag 120 talks to reader 110 asfollows. According to block 356, reader 110 transmits a Continuous Wave(CW) signal, which can be thought of as a carrier that typically encodesno information. This CW signal serves both to transfer energy to tag 120for its own internal power needs, and also as a carrier that tag 120 canmodulate with its backscatter. Indeed, during interval 326, according toblock 366, tag 120 does not receive a signal for processing. Instead,according to block 376, tag 120 modulates the CW emitted according toblock 356 so as to generate backscatter signal 126, for example byadjusting its antenna reflectance. Concurrently, according to block 386,reader 110 receives backscatter signal 126 and processes it.

FIG. 4 is a block diagram showing a detail of an RFID IC, such as IC 224in FIG. 2. Electrical circuit 424 in FIG. 4 may be formed in an IC of anRFID tag, such as tag 220 of FIG. 2. Circuit 424 has a number of maincomponents that are described in this document. Circuit 424 may have anumber of additional components from what is shown and described, ordifferent components, depending on the exact implementation.

Circuit 424 shows two IC contacts 432, 433, suitable for coupling toantenna segments such as antenna segments 226/228 of RFID tag 220 ofFIG. 2. When two IC contacts form the signal input from and signalreturn to an antenna they are often referred-to as an antenna port. ICcontacts 432, 433 may be made in any suitable way, such as from metallicpads and so on. In some embodiments circuit 424 uses more than two ICcontacts, especially when tag 220 has more than one antenna port and/ormore than one antenna.

Circuit 424 includes signal-routing section 435 which may include signalwiring, signal-routing busses, receive/transmit switches, and so on thatcan route a signal to the components of circuit 424. In some embodimentsIC contacts 432/433 couple galvanically and/or inductively tosignal-routing section 435. In other embodiments (such as is shown inFIG. 4) circuit 424 includes optional capacitors 436 and/or 438 which,if present, capacitively couple IC contacts 432/433 to signal-routingsection 435. This capacitive coupling causes IC contacts 432/433 to begalvanically decoupled from signal-routing section 435 and other circuitcomponents.

Capacitive coupling (and resultant galvanic decoupling) between ICcontacts 432 and/or 433 and components of circuit 424 is desirable incertain situations. For example, in some RFID tag embodiments ICcontacts 432 and 433 may galvanically connect to terminals of a tuningloop on the tag. In this situation, capacitors 436 and/or 438galvanically decouple IC contact 432 from IC contact 433, therebypreventing the formation of a short circuit between the IC contactsthrough the tuning loop.

Capacitors 436/438 may be implemented within circuit 424 and/or partlyor completely external to circuit 424. For example, a dielectric orinsulating layer on the surface of the IC containing circuit 424 mayserve as the dielectric in capacitor 436 and/or capacitor 438. Asanother example, a dielectric or insulating layer on the surface of atag substrate (e.g., inlay 222 or strap substrate 254) may serve as thedielectric in capacitors 436/438. Metallic or conductive layerspositioned on both sides of the dielectric layer (i.e., between thedielectric layer and the IC and between the dielectric layer and the tagsubstrate) may then serve as terminals of the capacitors 436/438. Theconductive layers may include IC contacts (e.g., IC contacts 432/433),antenna segments (e.g., antenna segments 226/228), or any other suitableconductive layers.

Circuit 424 also includes a rectifier and PMU (Power Management Unit)441 that harvests energy from the RF signal received by antenna segments226/228 to power the circuits of IC 424 during either or bothreader-to-tag (R→T) and tag-to-reader (T→R) sessions. Rectifier and PMU441 may be implemented in any way known in the art, and may include oneor more components configured to convert an alternating-current (AC) ortime-varying signal into a direct-current (DC) or substantiallytime-invariant signal.

Circuit 424 additionally includes a demodulator 442 that demodulates theRF signal received via IC contacts 432, 433. Demodulator 442 may beimplemented in any way known in the art, for example including a slicer,an amplifier, and so on.

Circuit 424 further includes a processing block 444 that receives theoutput from demodulator 442 and performs operations such as commanddecoding, memory interfacing, and so on. In addition, processing block444 may generate an output signal for transmission. Processing block 444may be implemented in any way known in the art, for example bycombinations of one or more of a processor, memory, decoder, encoder,and so on.

Circuit 424 additionally includes a modulator 446 that modulates anoutput signal generated by processing block 444. The modulated signal istransmitted by driving IC contacts 432, 433, and therefore driving theload presented by the coupled antenna segment or segments. Modulator 446may be implemented in any way known in the art, for example including aswitch, driver, amplifier, and so on.

In one embodiment, demodulator 442 and modulator 446 may be combined ina single transceiver circuit. In another embodiment modulator 446 maymodulate a signal using backscatter. In another embodiment modulator 446may include an active transmitter. In yet other embodiments demodulator442 and modulator 446 may be part of processing block 444.

Circuit 424 additionally includes a memory 450 to store data 452. Atleast a portion of memory 450 is preferably implemented as a nonvolatilememory (NVM), which means that data 452 is retained even when circuit424 does not have power, as is frequently the case for a passive RFIDtag.

In some embodiments, particularly in those with more than one antennaport, circuit 424 may contain multiple demodulators, rectifiers, PMUs,modulators, processing blocks, and/or memories.

In terms of processing a signal, circuit 424 operates differently duringa R→T session and a T→R session. The different operations are describedbelow, in this case with circuit 424 representing an IC of an RFID tag.

FIG. 5A shows version 524-A of components of circuit 424 of FIG. 4,further modified to emphasize a signal operation during a R→T sessionduring time interval 312 of FIG. 3. Demodulator 442 demodulates an RFsignal received from IC contacts 432, 433. The demodulated signal isprovided to processing block 444 as C_IN. In one embodiment, C_IN mayinclude a received stream of symbols.

Version 524-A shows as relatively obscured those components that do notplay a part in processing a signal during a R→T session. Rectifier andPMU 441 may be active, such as for converting RF power. Modulator 446generally does not transmit during a R→T session, and typically does notinteract with the received RF signal significantly, either becauseswitching action in section 435 of FIG. 4 decouples modulator 446 fromthe RF signal, or by designing modulator 446 to have a suitableimpedance, and so on.

Although modulator 446 is typically inactive during a R→T session, itneed not be so. For example, during a R→T session modulator 446 could beadjusting its own parameters for operation in a future session, and soon.

FIG. 5B shows version 524-B of components of circuit 424 of FIG. 4,further modified to emphasize a signal operation during a T→R sessionduring time interval 326 of FIG. 3. Processing block 444 outputs asignal C_OUT. In one embodiment, C_OUT may include a stream of symbolsfor transmission. Modulator 446 then modulates C_OUT and provides it toantenna segments such as segments 226/228 of RFID tag 220 via ICcontacts 432, 433.

Version 524-B shows as relatively obscured those components that do notplay a part in processing a signal during a T→R session. Rectifier andPMU 441 may be active, such as for converting RF power. Demodulator 442generally does not receive during a T→R session, and typically does notinteract with the transmitted RF signal significantly, either becauseswitching action in section 435 of FIG. 4 decouples demodulator 442 fromthe RF signal, or by designing demodulator 442 to have a suitableimpedance, and so on.

Although demodulator 442 is typically inactive during a T→R session, itneed not be so. For example, during a T→R session demodulator 442 couldbe adjusting its own parameters for operation in a future session, andso on.

In typical embodiments, demodulator 442 and modulator 446 are operableto demodulate and modulate signals according to a protocol, such as theGen2 Specification mentioned above. In embodiments where circuit 424includes multiple demodulators and/or modulators, each may be configuredto support different protocols or different sets of protocols. Aprotocol specifies, in part, symbol encodings, and may include a set ofmodulations, rates, timings, or any other parameter associated with datacommunications. In addition, a protocol can be a variant of a statedspecification such as the Gen2 Specification, for example includingfewer or additional commands than the stated specification calls for,and so on. In such instances, additional commands are sometimes calledcustom commands.

FIG. 6 illustrates how a tag can be switched between public and privatestates and back again, according to embodiments.

Normal RFID inventory operations permit a reader to determine, at least,the identity of a tag in its field-of-view unless the readerspecifically and selectively takes action to exclude the tag from theinventorying. This ubiquitous inventory capability has the benefit ofallowing a reader to identify all tags in its field of view, but has thedisadvantage of permitting anyone to scan a tagged item and then locateit again later, raising privacy concerns and potentially providinguseful information to thieves.

The mechanism by which a reader selectively inventories one or more tagswhile excluding other tags from the inventorying is called “selection”.A reader selects one or more tags for inventorying while deselectingothers. A reader may transmit one or more selection command, such as theSelect command of the Gen2 Specification, to select a particular tagpopulation based on user-defined criteria, enabling union (U),intersection (∩), and negation (˜) based tag partitioning. Readersperform ∩ and U operations by issuing successive selection commands. Aselection command can assert or deassert a tag's SL flag, or it can seta tag's session flag to either A or B in any one of four sessions asdiscussed in more detail below (FIG. 9 and FIG. 10 and associateddescription). A reader may then issue an inventorying command, such asthe Query command of the Gen2 Specification, to perform an inventoryoperation. The inventorying command may specify a session and a sessionflag value (A or B) in that session; it may also use the SL flag.Readers may inventory SL or ˜SL tags, or they may choose to not use theSL flag at all. The tag replying to the inventorying command with anactual identifier is said to be “inventoried”.

As mentioned previously, embodiments are directed to RFID tags and tagchips with the ability to transition between states (i.e. public andprivate states) and to adjust their responses to readers depending ontheir state and their flag value(s). In certain states a tag will notrespond to a reader or will not provide an actual identifier to thereader unless the reader has first provided information indicating thatthe reader is authorized to interact with the tag(s). In someembodiments the reader provides this information using a selectioncommand.

As shown in diagram 600, a tag according to some embodiments may becapable of being in one of two states: a public state 614 and a privatestate 618. In public state 614 the tag may act more carefully because itis in “public” and so it may restrict the information it provides to areader or may not respond at all until the reader has proven itself tobe an authorized reader. A reader may prove that it is authorized by,for example, proving that it knows some information about the tag, orproving that it is a reader that the tag knows is authorized. A readerthat is authorized is referred to herein as a “verified” reader, provingthat a reader is authorized is referred to herein as “verifying” thereader, and information used for verifying a reader may be referred toherein as “verification information” or “verification data”. In somecircumstances the tag may reply with a partial or scrambled identifieruntil the reader verifies itself, after which the tag will provide anactual identifier. The actual identifier is a quantity that identifiesthe tag, the item to which the tag is attached, or the holder of thetag. Actual identifiers can be a numeric or alphanumeric EPC, TID,password, code, secret, memory content, or similar.

In private state 618, the tag may act less carefully, because it is in aprivate location where a rogue reader is not expected to be operating.In this case the tag may operate “normally” and participate in inventoryrounds without restriction, providing the information requested by thereader such as its actual identifier, or any other information stored intag memory.

The tag may transition between public state 614 and private state 618and back again in response to privatize command(s) 616 and publicizecommand(s) 612, respectively, received from a reader. The privatizecommand(s) 616 and publicize command(s) 612 may be custom commands,custom selection commands, a write command writing data into a tagmemory location, or any other command suitable for causing a tag totransition between public state 614 and private state 618. In someembodiments the privatize command and the publicize command are one andthe same, in which case the single command may include one or morefields that instruct the tag to privatize itself or publicize itself.Regardless of whether the privatize and publicize commands are combinedor separate, they may contain additional information such asverification information, other information known to the tag, and/or anindicator for which public state the tag should choose from a pluralityof public states, and may cause the tag to perform other operations aswell. According to some embodiments the tag may transition states inresponse to a reader command only if the reader has first proven itselfto be authorized, such as by providing valid verification information orverifying itself via a cryptographic exchange.

FIG. 7 illustrates how a tag can be switched from a private state to oneof a plurality of public states and back again according to embodiments.

As shown in diagram 700, a tag may have access to more than one publicstate. The different public states may alter the information a tagprovides to a reader, as well as alter how the tag operates. Forexample, for an unauthorized reader a tag may remain silent in a firstpublic state, provide a random or scrambled or encrypted identifier in asecond public state, provide only partial information in a third publicstate, and so on. Once a reader has been verified, the tag may respondto the reader within an inventory round just like any tag that does notimplement the public/private capability. For example, the tag mayprovide full and complete information to a verified reader. However, insome embodiments the verified reader may still have limited access tosome tag memory contents depending on the tag state.

To verify itself to the tag, a reader may send verification informationto the tag that may indicate that the reader “knows’ which tag it isspeaking with. This verification information may be sent in a Selectcommand that precedes an inventory operation, or in an inventoryingcommand sent during the inventory operation. Alternatively, the readermay use a custom command to provide the tag with the verificationinformation. Verification information may include a string, a code, aPIN, a password, a cryptographic quantity such as an electronicsignature (e.g., a digital signature generated using asymmetriccryptography or a message authentication code generated using symmetriccryptography), encrypted data value, or key, or any other informationknown to the tag and used to verify readers. Verification informationmay be stored in a part or all of the EPC memory, a part or all of TIDmemory, a part or all of User memory, or optionally a part of Reservedmemory. Verification information may be unique to the tag or may beshared among multiple tags. In the latter situation, the verificationinformation may be referred to as “group verification information”,“group passwords”, “group PINs”, “group keys”, or similar, because itcan be used to verify an entity or reader to multiple (a “group” of)tags. The tag may have rules about how much verification information itdeems sufficient for a reader to be verified. These rules may be builtinto the tag or defined during tag programming, when the tag isinterrogated by a prior reader, or by any other means.

In some embodiments, a reader may verify itself to the tag based on acryptographic key. For example, the tag may have a tag key, and thereader may verify itself to the tag by proving to the tag that thereader has knowledge of the tag key, such as via a challenge/responseinteraction or electronic signature exchange. In one embodiment, the tagmay send a random value (known as a “salt”), and the reader may encryptor otherwise cryptographically secure the salt with the tag key and sendthe secured salt back to the tag. The tag, upon successfully recoveringthe salt using its tag key, can then verify that the reader knows thetag key. As another example, the tag may have knowledge of keys forauthorized readers, and a reader may verify itself to the tag by provingto the tag that it has knowledge of an authorized reader key.

Diagram 700 illustrates an example set of public states that may be usedby an RFID tag. Private state 718 is similar to private state 618described in FIG. 6, where a tag may freely participate in an inventoryround (regardless of or based on its flags) and provide its identifierand other information to an interrogating reader, regardless of thereader verification status. In public—quiet state 722, the tag may notrespond to an unverified interrogating reader. In public—scrambled state724, the tag may provide a random or scrambled response to an unverifiedinterrogating reader. In public—partial information state 726, the tagmay provide only partial identifying information in response to anunverified interrogating reader.

Transitioning from private state 718 to public states 722, 724, and 726may be caused by respective reader commands 732, 734, and 736.Similarly, transitioning from public states 722, 724, and 726, toprivate state 718 may be in response to respective reader commands 742,744, and 746.

FIG. 8 is a diagram 800 illustrating how a tag physical memory such asthe memory shown in FIG. 4 can be partitioned and organized for data,such as one or more tag identifiers, to be stored into it.

Tag memory 850 may be partitioned logically. The data stored in memorypartitions 804 may include user data in partition 852, an identifier forthe tag itself (for example, a TID) in partition 854, an identifierassociated with an item to which the tag is attached (often anelectronic product code or EPC) in partition 856, and information suchas passwords that are reserved for the tag itself in partition 858. Inother embodiments, memory 850 may be partitioned in other ways withfewer or more partitions, or not partitioned at all. Data may be storedin the memory during tag manufacturing or during an operation byprocessing block 444 of FIG. 4, typically in response to a commandreceived from a reader. Processing block 444 may also access the storedinformation. Verification information known to the tag, as describedherein, may be stored in any suitable partition or region of tag memory850. For example, verification information may be stored in partitions852 and/or 858, and even in partitions 854 and 856 if space permits.

Information stored in memory 850 may be used in tag operations. Forexample, EPC partition 856 can be arranged to store a CRC-16 (cyclicredundancy check) for the item identifier, protocol control (PC)information that identifies parameters of the item identifier, and theitem identifier itself. The tag may provide information stored in itsmemory, such as the item identifier, in response to an inventory commandif the tag state and flag conditions are satisfied as discussed in moredetail below.

FIG. 9 illustrates how tags participate in inventory rounds according tothe Gen2 Specification.

In an RFID system according to Gen2 Specification, a reader performs aninventory round in one of four sessions 902 (session 0 or S0), 904(session 1 or S1), 906 (session 2 or S2), and 908 (session 3 or S3) withassociated session flags. Tags participate in only one session duringthe round. Tags maintain a session flag (S0, S1, S2, and S3) for eachsession. Each of the session flags may have one of two values, A or B.For clarity, we will use the terms “asserted” and “deasserted” todescribe the states of a flag, rather than A or B, regardless of whetherthe flag is a session flag, a selected (SL) flag, or another flag. Notethat the choice of flag polarity is immaterial—assigning A to assertedand B to deasserted is just acceptable as assigning A to deasserted andB to asserted—as long as an RFID system uses the assignment polaritiesconsistently.

At the beginning of each inventory round a reader may choose toinventory either asserted (A) or deasserted (B) tags in one of thesessions. Tags participating in an inventory round in one session do notuse or modify the session flag for a different session. The sessionflags are a resource a tag provides separately and independently to agiven session. The inventorying command that a reader uses to inventorytags may contain a field to specify the session (S0, S1, S2, or S3) aswell as the polarity (asserted or deasserted) that the session flag musthave for the tag to participate in the inventory round.

A tag according to the Gen2 Specification also implements a selectedflag, SL, which a reader may assert or deassert using a selectioncommand such as the Gen2 Select command. A Sel parameter in aninventorying command such as the Gen2 Query command allows the reader toinventory tags that have SL either asserted or deasserted (i.e. SL or˜SL), or to ignore the flag and inventory tags regardless of their SLvalue. SL is not associated with any particular session, may be used inany session, and is common to all sessions.

Thus, a tag according to embodiments may employ one or more flags thatdetermine whether the tag will participate or not participate in aninventory round. The flags may include S0, S1, S2, S3, SL, andoptionally a custom flag. A reader may cause a tag to assert or deassertone or more of the S0, S1, S2, S3, SL, or custom flags using a selectioncommand, a custom command, or a memory write. For example, a tagreceiving a selection command may assert or deassert one of S0, S1, S2,S3, or SL depending on whether the selection command comes from averified reader or if verification data in the selection command matchesor mismatches a memory on the tag.

In one embodiment, the selection command may assert a deasserted flag,or deassert an asserted flag, based on a match or mismatch between thestring sent in the selection command and a value in tag memory. Asdescribed above, when a tag according to embodiments is in the publicstate, the tag may have different rules for the selection command thanwhen the tag is in the private state. For example, in the public statethe tag may enforce a minimum verification data length for matchingwithout which the tag will not modify a flag value; the tag may declineto modify a flag value based on a mismatch, and so on.

According to an example scenario, a reader verifies itself to a tag inthe public state before or while asserting one of the tag flags (say,S1). The reader may verify itself via a cryptographic interaction (forexample, by providing a known value, such as a salt, encrypted or signedwith a key known to the tag) or by proving that it knows someinformation about the tag. For example, the reader may send a commandwith verification data (e.g., a string, code, PIN, key, salt, etc.) thatmatches verification data stored on the tag. The reader therebyindicates that it knows something about the tag, thereby verifying thereader to the tag. In this situation the sent verification data is themechanism by which the tag verifies the reader. This mechanism helpsensure that the reader is not a rogue by the reader proving that italready knows something about the tag. If the tag determines that thereader is verified, it asserts the S1 flag. The reader then queries(e.g., sends an inventorying command to) tags with an asserted S1 flag,and the tag responds with its actual identifier. Absent the flag beingasserted, the tag would not normally respond.

In some embodiments, the tag enforces a minimum matching bit length orthreshold for the sent verification data and the verification datastored on the tag. If the sent verification data is not at least theminimum bit length, or if the sent verification data does not match thestored verification data for at least the minimum bit length, then thetag may consider the reader unverified. The minimum bit length may be interms of consecutive bits—for example, sent verification data containinga sequence of consecutive bits that both satisfies (e.g., meets orexceeds) the minimum bit length and matches the stored verification datamay be sufficient to verify the reader. In general, the more bits thetag requires in the sent verification data the less likely a roguereader can guess the verification data. In some embodiments, there maybe multiple minimum matching bit lengths, with different authorizationsand permissions associated with each bit length. For example, a readerthat provides a shorter length of matching verification data may be“less verified” than a reader that provides a longer length of matchingverification data, and “less verified” readers may be granted fewerprivileges or less access with respect to a tag than readers thatprovide more verification data. Such privileges and access may includeaccessible identifier length, accessible data length, accessible tagmemory portions, access to coupled devices or components, access to tagfeatures or functionality, verification time durations or timeouts,memory write privileges, read ranges, or any other privilege or accessassociated with a tag.

In some embodiments, a tag enforces additional security conditionsbefore determining that a reader is verified. For example, in order toprevent a reader from simply bombarding the tag with differentverification data until the tag receives suitable verification data, thetag may consider a reader verified only if the reader sends correctverification data without having immediately prior sent one or moreother, incorrect pieces of verification data. The tag may determinewhether a previous piece of verification data was received “immediatelyprior” to a correct piece of verification data based on elapsed time,whether another command such as an inventorying command was receivedbetween the previous piece of verification data and the correct piece ofverification data, or any other suitable method. In one embodiment, atag that receives an incorrect piece of verification data from a readermay invoke a timeout, and may not respond to verification requests orother commands from the reader or any other reader until expiration ofthe timeout. In some embodiments, a tag that receives an incorrect pieceof verification data from a previously verified reader may revoke theverification of the reader and subsequently consider the readerunverified until the reader has again verified itself to the tag.

Another security condition that a tag may enforce is physical proximity.For example, a tag may consider a reader verified if the reader sendscorrect verification data, the reader is in close physical proximity,and all other security conditions have been met. The tag may determinewhether the reader is in close physical proximity based on the power ofa received reader command, whether the reader command was received on atag antenna configured to only receive close-range signals, or using anyother means to determine reader proximity.

To enhance security, a tag whose flag was asserted by a verified readeris not desired to later respond to another, unverified reader.Consequently, the tag may deassert its flag after it has finished itsdialog with the reader. In some embodiments the verified reader mayreset the flag to its deasserted value when the reader has concluded itsdialog with the tag. In other embodiments the tag flags may beconstructed to decay, after a period of time, to the deasserted state.This decay ensures that a tag whose flag was asserted may, after thedecay time, be no longer responsive to a reader unless the reader againverifies itself and reasserts the flag. In this latter fashion the tagcan be made to be fail-safe, such that if a reader forgets to deassertthe flag the tag may itself deassert the flag after a decay time. Insome embodiments, a tag that receives an incorrect piece of verificationdata from a previously verified reader may also deassert the flag inaddition to revoking the verification of the reader.

FIG. 10A through 10D illustrate example tag behaviors based on flagvalues and tag states according to various embodiments.

As shown in diagram 1000 of FIG. 10A, a tag may have a plurality offlags 1002 including a bank of session flags 1001, SL flag 1003, and anoptional custom flag (CF) 1005. One or more of these flags may beasserted or deasserted as discussed above. The tag will also have astate 1004, which according to embodiments can be public or private. Theflag values 1002 and the tag state 1004 determine a behavior of the tagin its interactions with a reader.

In an inventory round, a reader may send an inventorying command to thetag specifying one of S0, S1, S2, S3, and for this one flag the readerspecifies whether it wants tags with flag values of A or B (asserted ordeasserted) to respond. The reader may also specify SL, ˜SL, or don'tcare for the SL flag. Custom flags may be employed in a manner similaror different from the above-described behavior. When in the privatestate 1014, the tag may respond according to Gen2 Specification (i.e.participate in the round if its flag value matches the inventoryingcommand).

FIG. 10A illustrates example tag behavior in private state 1014. Instate 1014 a tag behaves in one of four ways (1006): (1) if a particularflag is asserted and a reader queries tags with that flag asserted thenthe tag responds with its actual identifier; (2) if a particular flag isdeasserted and a reader queries tags with that flag deasserted then thetag responds with its actual identifier; (3) if a reader queries tagsirrespective of a flag value then the tag responds with its actualidentifier, or (4) regardless of the foregoing, if any of the flagsspecified in the inventorying command are mismatched from the actual tagvalues then the tag will not respond. Of course, a combination of thesession flags 1001, SL flag 1003, and or the custom flag 1003 may bespecified and used in determining whether the tag participates in aninventory round.

FIG. 10B through 10D illustrate example tag behavior in public state1018, where one or more of the flags (bolded), chosen by the reader viaits inventorying command, are used in conjunction with the public tagstate as a “security gate” to determine the tag behavior for theinventory round. When in public state 1018 the tag may behave in one ofthe following three ways: (1) if a flag is asserted and the readerqueries tags with that flag asserted then the tag responds with itsactual identifier; (2) if a flag is deasserted and the reader queriestags with that flag deasserted and the inventorying command does notalso specify a matching asserted flag then the tag may remain silent ormay respond with scrambled, partial, or random (such as an RN16 of theGen2 Specification) information; and (3) regardless of the foregoing, ifany of the flags specified in the inventorying command are mismatchedfrom the actual tag values then the tag will not respond. In the presentexample, to maintain the “security gate”, if the reader queries tagswith more than one flag specified in the inventorying command then atleast one of these flags must be asserted in the inventorying commandand likewise asserted on the tag in order for the tag to respond withits actual identifier.

In the example scenario of diagram 1020 of FIG. 10B, session flag S1 oftag flags 1022 is asserted and tag state 1024 is public state 1018. Thetag responds with its actual identifier only if the inventorying commandspecifies an asserted S1 flag.

In the example scenario of diagram 1040 of FIG. 10C, session flag S3 andselected flag SL of tag flags 1042 are asserted and tag state 1044 ispublic state 1018. The tag responds with its actual identifier only ifthe inventorying command specifies asserted S3 and SL flags.

In the example scenario of diagram 1060 of FIG. 10D, selected flag SL oftag flags 1062 is asserted and tag state 1064 is public state 1018. Thetag responds with its actual identifier only if the inventorying commandspecifies an asserted SL flag.

FIG. 11 illustrates how tag state and select flag value result in tagparticipation or non-participation in inventory rounds according to anexample embodiment.

Diagram 1100 is a detailed illustration of the example scenario of FIG.10D. According to a first example, when a tag is in private state 1114it may participate in inventory rounds and responds with its actualidentifier based on or regardless of the value of its select flag 1103as indicate by reference numeral 1115. If a reader queries tags with anasserted or deasserted select flag, the tag may participate if and onlyif its actual select flag value matches that specified in theinventorying command. If the reader queries tags without specifying aselect-flag value then the tag may respond regardless of its actualselect-flag value.

The second example assumes that none of the S0, S1, S2, S3, or CF flagsare asserted and acting as a “security gate” for the tag. According tothis second example, when a tag is in public state 1118 and its selectflag is deasserted (i.e. “0”) it is either prevented from participatingin an inventory round or prevented from participating with its actualidentifier, as indicated by reference numeral 1117. If a reader queriestags with deasserted select flags then the tag will either not respondor will respond with partial or scrambled information. If the readerqueries tags with asserted select flags the tag will not respond.

According to a third example, which also assumes that none of the S0,S1, S2, S3, or CF flags are asserted and acting as a “security gate” forthe tag, when a tag is in public state 1118 and its select flag isasserted (i.e. “1”) it may participate in an inventory round, asindicated by reference numeral 1119. If a reader queries tags withasserted select flags then the tag may respond with its actualidentifier.

Whereas a conventional tag participates in an inventory round if areader queries tags with matching flags, a tag according to the presentinvention exhibits state-dependent behavior. When in the private state,it participates according to the rules of a conventional tag. When inthe public state, it participates only if a reader first asserts a flag,and it enforces conditions on the reader attempting to perform theasserting. Specifically, the tag requires that the reader verify itself,either by proving knowledge of a cryptographic key known to the tag orby providing verification data that the tag can use to verify thereader. A rogue reader will not be able to verify itself and will eitherbe unaware that the tag is present, or will receive scrambled or randominformation so as to make the tag unrecognizable and untraceable,thereby protecting the privacy of the tag owner.

Diagram 1200 of FIG. 12 illustrates example tag states and tag-readerinteractions according to some embodiments.

According to the first example scenario 1240, tag 1230 is in a privatestate and participates in inventory rounds providing its actualidentifier (e.g. actual EPC, actual TID, or other memory contents) toreader 1210 if its flag values match those specified in an inventoryingcommand issued by the reader. Otherwise the tag remains silent.

According to the second example scenario 1242, tag 1232 is in a quietpublic state in which the tag participates in an inventory round andprovides an actual identifier only if one or more of its flags areasserted and its flag values match those specified in an inventoryingcommand issued by the reader. Otherwise the tag remains silent.

According to the third example scenario 1244, tag 1234 is in a scrambledpublic state in which the tag participates in an inventory round andprovides an actual identifier only if one or more of its flags areasserted and its flag values match those specified in an inventoryingcommand issued by the reader. If the tag flags are asserted but theinventorying command specifies these same flags deasserted then the tagdoes not respond. If the tag flags are deasserted and the inventoryingcommand specifies these same flags deasserted then the tag replies withscrambled, random, encrypted, or otherwise garbled information.

According to the fourth example scenario 1246, tag 1236 is in apartial-information public state, in which the tag participates in aninventory round and provides an actual identifier only if one or more ofits flags are asserted and its flag values match those specified in aninventorying command issued by the reader. If the tag flags are assertedbut the inventorying command specifies these same flags deasserted thenthe tag does not respond. If the tag flags are deasserted and theinventorying command specifies these same flags deasserted then the tagreplies with partial information.

The verification data known to the tag and used to verify readers may bestored on the tag in any suitable fashion. In one embodiment, theverification data may be written on the tag during RFID IC or tagmanufacture. In some embodiments, the verification data may be writtenon the tag by a subsequent user or owner of the tag. The verificationdata, once written to tag memory, may be rewritable or not. For example,the verification data may be written to a memory or memory location thatpermits overwriting. In this case, the verification data may be changedlater. As another example, the verification data may be written to aone-time-programmable memory that cannot be physically overwritten orchanged without damaging the memory or the IC. In this case, theverification data, once written, cannot be changed later. The writtenverification data may be externally readable (e.g., readable by areader) or not (e.g., only readable by the tag). The latter may bepreferable for privacy concerns and to prevent unauthorized readers frominadvertently or maliciously reading the verification data.

An RFID tag may store one or more pieces of verification data, some ofwhich can be overwritten and some of which cannot. For example, firstverification data may be permanently written to an RFID IC or tag duringmanufacture, such that the first verification data cannot besubsequently overwritten or changed. The first verification data may beused to verify readers or entities. Subsequently, a verified reader orentity (e.g., a reader or entity with knowledge of the firstverification data) may be able to write second verification data to theRFID IC or tag. The second verification data may be mutable, such that asuitable verified reader or entity (e.g., a reader or entity withknowledge of the first and/or second verification data) can subsequentlychange the second verification data.

When an entity legitimately acquires an RFID tag or its associated item,the acquiring entity (“acquirer”) may be provided with some or all ofthe verification data stored on the tag. For example, if only firstverification data as described above are stored on the tag, then theacquirer may be provided with the first verification data. If first andsecond verification data as described above are stored on the tag, thenthe acquirer may be provided with the first and/or the secondverification data.

If only first verification data as described above are stored on thetag, then in some embodiments an acquirer may not be provided with thefirst verification data, but rather with a means to store secondverification data on the tag without explicit knowledge of the firstverification data. For example, the acquirer may be able to store secondverification data on the tag through a remote service. In this example,the acquirer, upon verifying its identity to the service, provides anidentifier for the tag and optionally the second verification data tothe service. The service knows the first verification data stored on thetag and uses the first verification data to generate a message thatallows the tag to accept the second verification data. The message mayinclude the second verification data, or may instruct the tag to acceptdata accompanying the message as second verification data. In someembodiments, the message may be encrypted or otherwise obfuscated basedon at least the first verification data, such that the acquirer cannotderive the first verification data from the message. The service theneither sends the message directly to the tag if possible, or sends themessage to the acquirer, and the acquirer can provide the message to thetag to store the second verification data on the tag.

In some embodiments, an acquirer may write updated verification data toa tag, to replace or augment first and/or second verification dataalready on the tag. For example, if a customer receives first or secondverification data for a tag upon purchasing the item associated with thetag, the customer may use the received verification data to authorizethe writing of updated verification data to the tag. The updatedverification data may be an acquirer-generated password, anacquirer-generated PIN, an acquirer cryptographic key, or any other datathe acquirer wishes to use for restricting access to the tag. In someembodiments, the acquirer may have a number of tagged items, and may usethe same updated verification data as “group verification information”for multiple or all of the tagged items, to facilitate inventorying.

The updated verification data may be written onto the tag in addition toany preexisting verification data, or may overwrite some or all of anypreexisting verification data. For example, if the tag already storesfirst and second verification data, the updated verification data mayoverwrite the first, the second, or both verification data. In someembodiments, some of the preexisting verification data may be permanentand cannot be subsequently overwritten or changed, as described above.This provides a mechanism for another entity, such as an IC or tagmanufacturer or a retailer, to reset the tag, for example in the case ofa returned item.

The acquirer may then use the received or updated verification data toprevent unauthorized readers from retrieving information from the tag.For example, an owner of an item with an RFID tag may allow only readersassociated with the owner to inventory the tag. The owner may either usethe received verification data to publicize the tag or first writeupdated verification data to the tag and then use the updatedverification data to publicize the tag. Subsequently, only readersassociated with or belonging to the owner and presumably knowing thereceived or updated verification data can retrieve information from thetag.

As an example, a customer that has purchased an item associated with anRFID tag from a retailer may not want unauthorized readers to retrieveinformation from the tag, but may also want to be able to return theitem to the retailer. In this situation, the retailer, who has knowledgeof first verification data stored on the tag, may generate secondverification data based on, for example, information associated with thetransaction. The retailer may then write the second verification data tothe tag, optionally provide the second verification data to the customer(e.g., on a receipt), and publicize the tag to require receiving thesecond verification data (or the first verification data) beforeparticipating in future inventories. A rogue reader will not know thefirst or second verification data and will not be able to inventory thetag. In some embodiments, the retailer ensures that either the first orsecond verification data cannot be overwritten or changed, therebyallowing the retailer to access or privatize the tag even if thecustomer adds updated verification data to the tag. A returns desk atthe retailer will know the first, second, and/or updated verificationdata, from the receipt, from information provided by the customer,and/or from information stored at the retailer, and will be able to usethe first, second, and/or updated verification data to inventory the tagas described above, accept the return, and privatize the tag inpreparation for a future sale.

In some embodiments, verification data may include a dynamic component.For example, the verification data stored on a tag may include or bebased on one or more data values that change as a function of time, tagstate, or events. In one embodiment, the tag may implement a counterthat counts the number of successful or unsuccessful verificationattempts made by one or more readers, and the verification data mayinclude the counter value. In other embodiments, the tag may implement acounter that counts any other relevant event, and the verification datamay include the counter value.

The techniques described herein may be applicable to situations otherthan the retail example above. For example, tagged items in a shippingcontainer may be placed in a quiet public state in order to reduce thenumber of tags responding to an inventorying command. In this example,the shipping container may have a container or manifest tag. Thecontainer tag may list the tags in the container and may also eitherstore or provide access (for example, via a network server or service)to group verification data for the tagged items in the container. Thecontainer tag may allow any reader or entity, or only authorized readersor entities, to access the group verification data. A reader capable ofreading the container tag and retrieving the group verification data maythen use the group verification data to inventory the tagged items inthe container, as described above, to check that tagged items expectedto be in the container are actually in the container.

As another example, individual components of a larger device or systemmay be tagged for tracking. Upon assembly into the device or system, thecomponent tags may be placed into a quiet public state, again to reducethe number of tags responding to an inventorying command or to hide thetags from unauthorized readers or entities. The device or system mayhave an associated tag that allows an authorized reader or entity toretrieve group verification data, either from the tag or via a network,that in turn allows the reader or entity to inventory the individualcomponent tags.

The states, flags, commands, choice of values (asserted versusdeasserted) and configurations described above are for illustrationpurposes only and do not constitute a limitation on embodiments.Additional states, flags, commands, and configurations may be used todefine tag behavior using the principles described herein.

Embodiments also include methods. Some are methods of operation of anRFID tag or an RFID tag chip. These methods can be implemented in anynumber of ways, including the structures described in this document. Onesuch way is by machine operations, of devices of the type described inthis document.

Another optional way of implementing these methods is for one or more ofthe individual operations of the methods to be performed in conjunctionwith one or more human operators performing some of them. Theseoperators need not be collocated with each other, but each can be with amachine that performs a portion of a program or operation.

FIG. 13 is a flowchart for a process of an RFID tag transitioning from aprivate to a public state, or vice versa, according to embodiments.

Process 1300 begins with one of alternative operations 1310 and 1320,where a tag receives either a standard or custom command, or a writecommand that writes directly to a portion of tag memory. A tag willtypically have already been inventoried and uniquely identified by areader prior to receiving one of these commands, but uniqueidentification is not strictly necessary.

At optional operation 1330, the tag may employ a protective action toprevent rogue readers from improperly causing the tag to change state.For example, the tag may require receiving a password, security code, orother verification data. In some embodiments, the tag may change stateonly upon receiving a command from a verified reader. Other securitymeasures may include only performing one of the aforementioned commandswhen the reader is in close proximity to the tag, or is in directphysical contact with the tag, or any of a variety of security measuresas is well known to those skilled in the art.

At operation 1340, the tag executes the aforementioned command andtransitions from a private state to a public state or from a publicstate to a private state.

FIG. 14 is a flowchart for a process of an RFID tag asserting ordeasserting a flag or flag(s) in response to a selection (or custom)command after verifying that the command is based on valid verificationdata, according to embodiments. In some embodiments, the verificationdata may be stored in part or all of Reserved memory, EPC memory, TIDmemory, and/or user memory as in FIG. 8.

Process 1400 begins with operation 1410, where the tag receives aselection command, a custom selection command, or another custom commandattempting to modify one or more of the tag's flags. As a securitymeasure the command may be based on verification data known to the tag,such as a string, password, PIN, salt, or key. The tag then determineswhether the command is correctly based on the verification data, forexample by comparing the command to a stored memory content. If so, thetag then verifies that the reader “knows” the tag. The received commandtypically includes other information such as a memory-bank indicator, amemory-address pointer, a string length, an error-check code, and othersuch data, although these latter items are not strictly necessary.

At decision operation 1420, the tag makes a decision as to whether thereceived command is correctly based on known verification data, and ifso, the tag may assert or deassert the specified flag(s) at operation1430. In some embodiments, the tag may enforce state-dependent rules onverification data length as described above, for example allowing a1-bit piece of verification data to verify a reader in the private statewhere the environment is often secure, and longer verification data toverify a reader when the tag is in the public state. If the verificationdata does not correspond to the verification data stored in tag memorythen the tag will not modify the specified flag(s), and may even takefurther protective action such as increasing the verification datalength required to verify the reader.

FIG. 15 is a flowchart for a process of an RFID tag behavior during aninventory round based on tag flag(s) and tag state according toembodiments.

Process 1500 begins with operation 1510, where the tag receives aninventorying command from a reader specifying one or more flags andtheir associated values. At decision operation 1520, the tag determineswhether it is in a private or a public state.

If the tag is in a private state then it may participate in an inventoryround at operation 1530 and provide the requested information, such asits actual identifier, to the reader. As described above, the tagdecides whether to participate in the inventory round based on whetherits flag value(s) match those specified in the inventorying command. Ifthey match then the tag participates. If they do not match then the tagdoes not participate and remains silent.

If the tag is in a public state then the tag determines at decisionoperation 1540 whether the inventorying command contains assertedflag(s). If the inventorying command contains asserted flags then thetag transitions to operation 1530 and may participate in an inventoryround and provide the requested information, such as its actualidentifier, to the reader. As described above, the tag decides whetherto participate based on whether its flag value(s) match those specifiedin the inventorying command. If they match then the tag participates. Ifthey don't match then the tag does not participate and remains silent.

If, at decision operation 1540 the tag determines that the inventoryingcommand does not contain asserted flag(s) then the tag transitions todecision operation 1550, where the tag determines if the flag(s)specified in the inventorying command command match those on the tag. Inthe event of a match, the tag transitions to operation 1570 and eitherremains silent, provides scrambled information, or provides partialinformation depending on the tag type and its public-state type, asdescribed in conjunction with diagram 1200 of FIG. 12. In the event of amismatch the tag transitions to operation 1560 and remains silent.

The operations described in processes 1300-1500 are for illustrationpurposes only. A tag according to embodiments may transition betweenprivate and public states in different manners or by different paths,assert or deassert flag(s) by different means, make differentdeterminations as to how to respond as a function of state and flagmatching/mismatching, and respond to queries from a reader in other waysemploying additional or fewer operations and in different orders usingthe principles described herein.

According to one example, a method for an RFID integrated circuit (IC)configurable to operate in a private state and in a public state, and totransition at least from the private state to the public state, todetermine whether to respond to an inventorying command to a reader, isprovided. The method may include, when the IC is in the private state,receiving the inventorying command and responding to the inventoryingcommand regardless of whether the reader is verified or unverified. Themethod may further include, when the IC is in the public state,receiving the inventorying command and responding to the inventoryingcommand if the reader is verified, else not responding to theinventorying command.

According to some embodiments, the method further includes receiving apersonal identification number (PIN) from the reader and determiningthat the reader is verified if the PIN is valid. The PIN may be a groupPIN including a shared string and/or a group password, or an individualPIN including an IC password and/or an IC salt. The method may furtherinclude determining that the received PIN is valid if the received PINmatches a stored PIN and another PIN was not received prior to thereceived PIN without receiving an intervening inventorying command. Ifthe reader is not verified, the method may further include invoking atimeout and/or revoking a verification of the reader. When the IC is ineither the private or public states and the reader is verified, themethod may include receiving the PIN from the reader and storing the PINin a memory of the IC and/or receiving an updated PIN from the readerand storing the updated PIN in the memory. When the IC is in either theprivate or public states, the method may further include receiving acommand from the reader to transition to the other of the private orpublic states, determining whether the reader is verified, andtransitioning to the other of the private or public states if the readeris verified.

According to another example, a method for an RFID IC configurable tooperate in a private state and in a public state, and to transition atleast from the private state to the public state, to determine whetherto provide an identifier to a reader, is provided. The method mayinclude, when the IC is in the private state, receiving a request forthe identifier from the reader and providing the identifier regardlessof whether the reader is verified or unverified. The method may furtherinclude, when the IC is in the public state, receiving the request forthe identifier from the reader and providing the identifier if thereader is verified, else not providing the identifier.

According to some embodiments, the method further includes receiving apersonal identification number (PIN) from the reader and determiningthat the reader is verified if the PIN is valid. The PIN may be a groupPIN including a shared string and/or a group password, or an individualPIN including an IC password and/or an IC salt. The method may furtherinclude determining that the received PIN is valid if the received PINmatches a stored PIN and another PIN was not received prior to thereceived PIN without receiving an intervening inventorying command. Ifthe reader is not verified, the method may further include invoking atimeout and/or revoking a verification of the reader. When the IC is ineither the private or public states and the reader is verified, themethod may include receiving the PIN from the reader and storing the PINin a memory of the IC and/or receiving an updated PIN from the readerand storing the updated PIN in the memory. When the IC is in either theprivate or public states, the method may further include receiving acommand from the reader to transition to the other of the private orpublic states, determining whether the reader is verified, andtransitioning to the other of the private or public states if the readeris verified.

According to a further example, an RFID IC configured to operate in aprivate state and in a public state, and to transition at least from theprivate state to the public state, is provided. The IC may include atransceiver configured to exchange radio frequency (RF) signals with areader and a processor coupled to the transceiver. The processor may beconfigured to, when the IC is operating in the private state, receivingan inventorying command from the reader via the transceiver and respondto the inventorying command via the transceiver regardless of whetherthe reader is verified or unverified. The processor may be furtherconfigured to, when the IC is operating in the public state, receive theinventorying command from the reader via the transceiver, receive a codevia the transceiver prior to receiving the inventorying command orincluded in the inventorying command, determined whether the receivedcode is valid, and consider the reader verified and respond to theinventorying command if the received code is valid else not respond tothe inventorying command.

According to some embodiments, the code may be a group PIN including ashared string and/or a group password, or an individual PIN including anIC password and/or an IC salt. The IC may further include a memorycoupled to the processor, and the processor may be configured todetermine that the received PIN is valid if the received code matches astored code in the memory and another code was not received prior to thereceived code without receiving an intervening inventorying command. Ifthe reader is not verified, the processor may be configured to invoke atimeout and/or revoke a verification of the reader. When the IC is ineither the private or public states and the reader is verified, theprocessor may be further configured to receive the code from the readerand store the code in the memory or receive an updated code from thereader and store the updated code in the memory. When the IC is in theprivate or public state, the processor may be further configured toreceive a command from the reader to transition to the other of theprivate or public states, determine whether the reader is verified, andtransition to the other of the private or public states if the reader isverified.

The foregoing detailed description has set forth various embodiments ofthe devices and/or processes via the use of block diagrams and/orexamples. Insofar as such block diagrams and/or examples contain one ormore functions and/or aspects, it will be understood by those within theart that each function and/or aspect within such block diagrams orexamples may be implemented (such as by tags according to embodimentsformed) individually and/or collectively, by a wide range of hardware,software, firmware, or virtually any combination thereof. Those skilledin the art will recognize that some aspects of the RFID tag embodimentsdisclosed herein, in whole or in part, may be equivalently implementedemploying integrated circuits, as one or more computer programs runningon one or more computers (e.g., as one or more programs running on oneor more computer systems), as one or more programs running on one ormore processors (e.g. as one or more programs running on one or moremicroprocessors), as firmware, or as virtually any combination thereof,and that designing the circuitry and/or writing the code for thesoftware and or firmware would be well within the skill of one of skillin the art in light of this disclosure.

The present disclosure is not to be limited in terms of the particularembodiments described in this application, which are intended asillustrations of various aspects. Many modifications and variations canbe made without departing from its spirit and scope, as will be apparentto those skilled in the art. Functionally equivalent methods andapparatuses within the scope of the disclosure, in addition to thoseenumerated herein, will be apparent to those skilled in the art from theforegoing descriptions. Such modifications and variations are intendedto fall within the scope of the appended claims. The present disclosureis to be limited only by the terms of the appended claims, along withthe full scope of equivalents to which such claims are entitled. It isto be understood that this disclosure is not limited to particularmethods, configurations, tags, readers, and the like, which can, ofcourse, vary. It is also to be understood that the terminology usedherein is for the purpose of describing particular embodiments only, andis not intended to be limiting.

With respect to the use of substantially any plural and/or singularterms herein, those having skill in the art can translate from theplural to the singular and/or from the singular to the plural as isappropriate to the context and/or application. The varioussingular/plural permutations may be expressly set forth herein for sakeof clarity.

It will be understood by those within the art that, in general, termsused herein, and especially in the appended claims (e.g., bodies of theappended claims) are generally intended as “open” terms (e.g., the term“including” should be interpreted as “including but not limited to,” theterm “having” should be interpreted as “having at least,” the term“includes” should be interpreted as “includes but is not limited to,”etc.). It will be further understood by those within the art that if aspecific number of an introduced claim recitation is intended, such anintent will be explicitly recited in the claim, and in the absence ofsuch recitation no such intent is present. For example, as an aid tounderstanding, the following appended claims may contain usage of theintroductory phrases “at least one” and “one or more” to introduce claimrecitations. However, the use of such phrases should not be construed toimply that the introduction of a claim recitation by the indefinitearticles “a” or “an” limits any particular claim containing suchintroduced claim recitation to embodiments containing only one suchrecitation, even when the same claim includes the introductory phrases“one or more” or “at least one” and indefinite articles such as “a” or“an” (e.g., “a” and/or “an” should be interpreted to mean “at least one”or “one or more”); the same holds true for the use of definite articlesused to introduce claim recitations. In addition, even if a specificnumber of an introduced claim recitation is explicitly recited, thoseskilled in the art will recognize that such recitation should beinterpreted to mean at least the recited number (e.g., the barerecitation of “two recitations,” without other modifiers, means at leasttwo recitations, or two or more recitations).

Furthermore, in those instances where a convention analogous to “atleast one of A, B, and C, etc.” is used, in general such a constructionis intended in the sense one having skill in the art would understandthe convention (e.g., “a system having at least one of A, B, and C”would include but not be limited to systems that have A alone, B alone,C alone, A and B together, A and C together, B and C together, and/or A,B, and C together, etc.). In those instances where a conventionanalogous to “at least one of A, B, or C, etc.” is used, in general sucha construction is intended in the sense one having skill in the artwould understand the convention (e.g., “a system having at least one ofA, B, or C” would include but not be limited to systems that have Aalone, B alone, C alone, A and B together, A and C together, B and Ctogether, and/or A, B, and C together, etc.). It will be furtherunderstood by those within the art that virtually any disjunctive wordand/or phrase presenting two or more alternative terms, whether in thedescription, claims, or drawings, should be understood to contemplatethe possibilities of including one of the terms, either of the terms, orboth terms. For example, the phrase “A or B” will be understood toinclude the possibilities of “A” or “B” or “A and B.”

As will be understood by one skilled in the art, for any and allpurposes, such as in terms of providing a written description, allranges disclosed herein also encompass any and all possible subrangesand combinations of subranges thereof. Any listed range can be easilyrecognized as sufficiently describing and enabling the same range beingbroken down into at least equal halves, thirds, quarters, fifths,tenths, etc. As a non-limiting example, each range discussed herein canbe readily broken down into a lower third, middle third and upper third,etc. As will also be understood by one skilled in the art all languagesuch as “up to,” “at least,” “greater than,” “less than,” and the likeinclude the number recited and refer to ranges which can be subsequentlybroken down into subranges as discussed above. Finally, as will beunderstood by one skilled in the art, a range includes each individualmember. Thus, for example, a group having 1-3 cells refers to groupshaving 1, 2, or 3 cells. Similarly, a group having 1-5 cells refers togroups having 1, 2, 3, 4, or 5 cells, and so forth.

We claim:
 1. A Radio-Frequency Identification (RFID) integrated circuitconfigured to operate in a public state and in a private state and totransition to the public state at least from the private state, the ICcomprising: a transceiver configured to exchange radio frequency (RF)signals with a reader; and a processor coupled to the transceiver andconfigured to: when the IC is operating in the public state: receive,via the transceiver, a first command containing a personalidentification number (PIN); receive, via the transceiver, a secondcommand initiating an inventory round; determine whether the PIN iscorrect; and if the PIN is correct then cause the IC to participate inthe inventory round, else cause the IC to not participate in theinventory round; and when the IC is operating in the private state:receive, via the transceiver, the second command; and cause the IC toparticipate in the inventory round regardless of whether a correct PINhas been received.
 2. The IC of claim 1, wherein the processor isconfigured to determine whether the PIN is correct by determining thatthe PIN includes a sequence of consecutive bits that corresponds to datastored by the IC.
 3. The IC of claim 1, wherein the PIN is one of: agroup PIN including at least one of a shared string and a grouppassword; and an individual IC PIN including at least one of a passwordand a salt.
 4. The IC of claim 1, wherein the processor is configuredto, when the IC is operating in the public state, cause the IC to notparticipate in the inventory round even if the PIN is correct if atleast one of: an incorrect PIN was received immediately prior to thefirst command; and the IC is in a timeout.
 5. The IC of claim 1, furthercomprising a memory, wherein the processor is further configured to,when the IC is in either the private state or the public state and thePIN is correct: receive, via the transceiver, an updated PIN; and storethe updated PIN in the memory.
 6. The IC of claim 1, wherein theprocessor is further to configured to, when the IC is in one of theprivate state or the public state: receive, via the transceiver, acommand to transition to the other of the private state or the publicstate; determine whether a correct PIN has been received; and if thecorrect PIN has been received, transition to the other of the privatestate or the public state.
 7. A Radio-Frequency Identification (RFID)integrated circuit configured to operate in a public state and in aprivate state and to transition to the public state at least from theprivate state, the IC comprising: a transceiver configured to exchangeradio frequency (RF) signals with a reader; a security gate flag; and aprocessor coupled to the transceiver and security gate flag andconfigured to: when the IC is operating in the public state: receive,via the transceiver, a first command containing verificationinformation; determine whether the verification information is correct;if the verification information is correct then place the security gateflag in an asserted state, else place the security gate flag in anunasserted state; receive, via the transceiver, a second commandinitiating an inventory round; determine whether the second commandspecifies the security gate flag in the asserted state and does notspecify the security gate flag in the unasserted state; and if thesecond command specifies the security gate flag in the asserted statethen cause the IC to participate in the inventory round, else cause theIC to not participate in the inventory round; and when the IC isoperating in the private state: receive, via the transceiver, the secondcommand; and cause the IC to participate in the inventory roundregardless of whether the second command specifies the security gateflag in the asserted state.
 8. The IC of claim 7, wherein the processoris configured to determine whether the verification information iscorrect by determining that the verification information includes asequence of consecutive bits that corresponds to data stored by the IC.9. The IC of claim 7, wherein the verification information is one of: agroup verification information including at least one of a shared stringand a group password; and an individual IC verification informationincluding at least one of a password and a salt.
 10. The IC of claim 7,wherein the first command instructs the processor to place the securitygate flag in the asserted state.
 11. The IC of claim 7, wherein theprocessor is configured to, when the IC is operating in the publicstate, cause the IC to participate in the inventory round if the secondcommand specifies the security gate flag in the asserted state and ifthe first command was received immediately prior to receiving the secondcommand.
 12. The IC of claim 7, wherein the processor is configured to,when the IC is operating in the public state, cause the IC to notparticipate in the inventory round even if the second command specifiesthe security gate flag in the asserted state if at least one of: anincorrect verification information was received immediately prior to thefirst command; and the IC is in a timeout.
 13. The IC of claim 7,further comprising a memory, wherein the processor is further configuredto, when the IC is in either the private state or the public state andthe verification information is correct: receive, via the transceiver,an updated verification information; and store the updated verificationinformation in the memory.
 14. The IC of claim 7, wherein the processoris further to configured to, when the IC is in one of the private stateor the public state: receive, via the transceiver, a command totransition to the other of the private state or the public state;determine whether a correct verification information has been received;and if the correct verification information has been received,transition to the other of the private state or the public state.
 15. ARadio-Frequency Identification (RFID) integrated circuit configured tooperate in a public state and in a private state and to transition tothe public state at least from the private state, the IC comprising: atransceiver configured to exchange radio frequency (RF) signals with areader; and a processor coupled to the transceiver and configured to:when the IC is operating in the public state: receive, via thetransceiver, a command initiating an inventory round; determine whetherthe command contains a correct verification information; and if thecommand contains the correct verification information then cause the ICto participate in the inventory round, else cause the IC to notparticipate in the inventory round; and when the IC is operating in theprivate state: receive, via the transceiver, the command; and cause theIC to participate in the inventory round regardless of whether thecommand contains the correct verification information.
 16. The IC ofclaim 15, wherein the processor is configured to determine whether theverification information is correct by determining that the verificationinformation includes a sequence of consecutive bits that corresponds todata stored by the IC.
 17. The IC of claim 15, wherein the verificationinformation is one of: a group verification information including atleast one of a shared string and a group password; and an individual ICverification information including at least one of a password and asalt.
 18. The IC of claim 15, wherein the processor is configured to,when the IC is operating in the public state, cause the IC to notparticipate in the inventory round even if the verification informationis correct if at least one of: the command does not specify a securitygate flag of the IC in an asserted state; an incorrect verificationinformation was received immediately prior to the first command; and theIC is in a timeout.
 19. The IC of claim 15, further comprising a memory,wherein the processor is further configured to, when the IC is in eitherthe private state or the public state and the verification informationis correct: receive, via the transceiver, an updated verificationinformation; and store the updated verification information in thememory.
 20. The IC of claim 15, wherein the processor is further toconfigured to, when the IC is in one of the private state or the publicstate: receive, via the transceiver, a command to transition to theother of the private state or the public state; determine whether acorrect verification information has been received; and if the correctverification information has been received, transition to the other ofthe private state or the public state.